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Abstract. The problem of memory checking considers storing files on 
an unreliable public server whose memory can be modified by a mali- 
cious party. The main task is to design an online memory checker with 
the capability to verify that the information on the server has not been 
corrupted. To store n bits of public information, the memory checker has 
s private reliable bits for verification purpose; while to retrieve each bit 
of public information the checker communicates t bits with the public 
memory. Earlier work showed that, for classical memory checkers, the 
lower bound s x t G 0{n) holds. In this article we study quantum mem- 
ory checkers that have s private qubits and that are allowed to quantum 
query the public memory using t qubits. We prove an exponential im- 
provement over the classical setting by showing the existence of a quan- 
tum checker that, using quantum fingerprints, requires only s £ O(logn) 
qubits of local memory and t € O (poly log n) qubits of communication 
with the public memory. 



1 Introduction 

The problem of memory checking was first introduced by Blum et al. [2] 
as an extension of program checking. In this problem, a memory checker 
receives a sequence of "store" and "retrieve" operations from a user, and 
the checker has to relay these commands to an unreliable server. By mak- 
ing additional requests to the unreliable memory and using a small pri- 
vate and reliable memory for storing additional information, the checker 
is required to give correct answers (with high probability) to the user's 
retrieve operations that are in accordance the previous store instructions, 
or report error when the information has been corrupted. Blum et al. [2] 
made a distinction between "online" and "offline" memory checkers: an 
online memory checker must detect the error immediately after receiving 
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an errant response from the memory, while an offline checker is allowed 
to output whether they are all handled correctly until the end of the 
operation sequence. 

There are two main complexity measures regarding memory check- 
ers: the space complexity, which is the size of its private reliable memory, 
and the query complexity, which is the size of the messages between the 
memory checker and the public memory per user request. The goal is to 
have a reliable checker with low space complexity and low query complex- 
ity against any (probabilistic, polynomial time) adversary corrupting the 
public memory. 

With s be the space complexity and t the query complexity of an 
online memory checker, both Blum et al. [2] and Naor and Rothblum [6] 
proved that for classical online memory checking one has the lower bound 
s X i G !7(n). 

Our Result We looked at the efficiency of online memory checkers that 

are allowed to operate in a quantum mechanical way. After defining the 
proper model, we present an online memory checker using quantum fin- 
gerprints that requires only s G O(logn) bits of private memory and 
t G O(polylogn) queries to the public memory. We also prove its correct- 
ness and security. Specifically we show that for an error rate e > it is 
sufficient for the memory checker to privately keep 0(log(l/e)) copies of 
the quantum fingerprints of the public memory (each requiring O(logn) 
qubits). The parameters of the specific error correcting code that we use 
for the quantum fingerprints introduces a constant multiplicative term in 
this quantity 0(log(l/e)). 
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2 Preliminaries 

In this section, we present the model of memory checker in the quan- 
tum settings. We also briefly review some of the techniques used in our 
quantum algorithms for online memory checking. 

2.1 Memory Checker 

We first introduce the classical definition of memory checker, and then 
extend it to quantum settings. 



Definition 1. Classical Memory Checkers (see [2, 6]). A memory 
checker is a probabilistic Turing machine C with five tapes: a read-only 
input tape for C to read the requests from user U, a write-only output tape 
for C to write its response to the user's requests or that the memory Ai is 
"buggy", a write-only tape for C to write requests to Ai, a read-only tape 
for C reading response from Ai, and a read-write work tape as a secret, 
reliable memory. 

Quantum Memory checker: In our quantum mechanical extension 
of tiiis definition, tlie input and output tape between C and U both re- 
main classical, as well as the memory Ai. The checker C, however, is now 
allowed to make quantum queries to the memory Ai and the secret work- 
tape of C and the two read and write-only tapes between C and Ai now 
support quantum bits. This model is illustrated in Fig. 1. 
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Fig. 1. A quantum mechanical memory cliecker: Tlie user presents classical "store" 
or "retrieve" request to the checker, which, with high probability, returns the correct 
answer or reports "buggy" when the memory has been corrupted. The checker can 
make quantum queries to the memory, such that it acquires a superposition of values. 
In addition, the checker is also allowed to have a private, secure work tape that consists 
of qubits and that is much smaller than the public memory. 

The user U presents the "store" and "retrieve" requests to C and after 
each "retrieve" request, C must write an answer to the output tape or 
output that Ai is "buggy" if the public memory Ai has been corrupted. 
We say a memory acts correctly if the returns of a "retrieve" operation 
are consistent with the contents written by the previous adjacent "store" 
operation. For any operation sequence of polynomial length in the total 



size n of the data stored hy U on M. and error rate < e < 5, it is 
required that: 

— If A^'s output to the "retrieve" operation is correct, C also answers 
Z^'s request with correctness probability at least 1 — e. 

— If TW's output is incorrect for some operation, C outputs "buggy" with 
probability at least 1 — e. 

There are two important measures of the complexity of a memory 
checker: the size s of its secret memory (the space complexity) and the 
number t of bits exchanged between C and Ai per request from the user 
(the query complexity). We follow the convention that we only consider 
the query complexity for retrieve requests such that the query complexity 
for store requests may be unbounded. Obviously, if the secret memory is 
sufficiently large, the solution to this problem is trivial as C can simply 
store the n bits on its work-tape. More interesting is the case where the 
space complexity t is sublinear (typically logarithmic) in n. 

As noted in [2] and [6] , memory checkers can be categorized into "on- 
line" and "offline" versions. In the offline model, the checker C is allowed 
to output "buggy" at any point before the last "retrieve" request in the 
sequence if M^s answers to some request is incorrect. The online model 
is more restricted as C is required to detect the error immediately once 
Ai gives an incorrect answer to the request. 

In this paper, we focus on online memory checkers. As noted in the 
Introduction, it is known that for classical online memory checkers, we 
have the lower bound s x t e f2{n) [6]. Below it will be shown that with 
quantum memory checkers one can get an exponential reduction on this 
lower bound. 

2.2 Quantum Simultaneous Message Protocol 

Buhrman et al. [3] extended the classical simultaneous message (SM) 
model [9, 7] to the quantum setting. In this model there are three players: 
Alice has a bit-string x, Bob has another bit-string y, and they do not 
share entanglement or randomness, but they each send one quantum mes- 
sage to a referee, Carol, who tries to compute the function value f{x, y). 
The complexity measure of this protocol is the number of qubits used in 
the messages. Classically, for the Equality function (Carol's output has 
to be / = 1 if X = y, and / = otherwise), Newman and Szegedy [7] 
showed that the randomized SM complexity of the EQUALITY function on 
{0, 1}" has the lower bound Q{^/n). Buhrman et al. presented a quantum 



protocol for the EQUALITY function that enabled the referee to compute 
f{x,y) by comparing the two "quantum fingerprints" IV'x) and \il)y) oi x 
and y sent by Alice and Bob, respectively. The communication complexity 
of this protocol is O(polylogn) qubits. 

The protocol works as following: for x,y € {0, 1}" we use an error 
correcting code E : {0, 1}" — )• {0, 1}™ with m = cn. The Hamming 
distance between two distinct codewords E{x) and E{y) (with x ^ y) is 
at least Sm,, with S > a constant. Let Ei{x) denote the z*'* bit of E{x). 
Alice constructs the superposition 
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as the fingerprint of her input x. Similarly Bob construct \ipy) for his 
input y and both of them send the fingerprints (of size logm = O(logn) 
qubits) to Carol. Carol performs the "Controlled-SWAP test" shown in 
the following circuit: 
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If the measurement of the first register is 0, Carol decides that x = y; 
otherwise she concludes x 7^ y. It is easy to show that the probability 
of Carol measuring "0" equals ^ + ^KV'xIV'?/)!^ the probability of 
measuring "1" is ^ — 5KV'x|V'y)P- Therefore, when x = y the probability 
of Carol measuring "0" is 1, while when x ^ y the probability of measuring 
"0" is at most | + ^\{'tpx\ipy)\'^ ■ If we perform this test repeatedly for k 
copies of {ijjx) and \ipy) with x ^ y, the probability of measuring all zeros 
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)'^, which decays exponentially in k. 



2.3 Locally Decodable Codes 

To construct the quantum fingerprints, we first encode the string using 
error correcting codes. In this paper, we use a locally decodable codes 
(see for example Katz and Trevisan [5]) such that a single bit xj of the 
original data can be probabilistically reconstructed by reading only a 
small number of locations in the encoding E{x). Formally speaking [5], for 
fixed 6, e > and integer q we say that E : {0, 1}" — ^ {0, 1}™ is a (g, 6, e)- 
locally decodable code (LDC) if there exists a probabilistic algorithm that 



reads at most q bits of E{x) to determine one of the bits of Xj and if that 
same algorithm returns the correct value with probability at least 1/2 + e 
on all strings y G {0, 1}"* with Hamming distance d{y,E{x)) < 5m. 

It is not important for us to choose a perfect LDC in our memory 
checker. In our algorithm, considering the fact that it takes too much time 
if it starts from the original string to construct the quantum fingerprints, 
we encode the string and store its codeword on the public memory to 
speed up the processing. On the other hand, if wc use any other error 
correcting code where decoding requires to query the whole codeword, it 
takes too much time for the user to retrieve a bit. This leads us to use 
LDCs. For our purposes it will be sufficient to use the construction of 
Babai et al. [1], who constructed an LDC with q G polylog(n) queries and 
m G Oin^) for fixed 5 and e. 

3 Quantum Algorithm for Online Memory Checking 
In this section, we state the main theorem of this paper. 

Theorem 1. For any error rate e > 0, there exists a quantum online 
memory checker with space complexity s G 0(log(l/e) logn) and query 
complexity t G 0(log(l/e) logn + polylogn), where n is the size of the 
public bitstring. This checker answers the user correctly with constant 
probability at least 1 — e when the memory Ai acts correctly, and it replies 
"buggy" with probability at least 1 — e when M has been corrupted. 

We prove Theorem 1 by presenting a quantum online memory checker 
with the claimed upper bounds on the space complexity s and query 
complexity t of the checker. 

3.1 Online Memory Checking Using Quantum Fingerprints 

The proposed quantum memory checker C uses the following ingredients. 
Let X = xi . . .Xfi be the string that the user U wants to write to the 
public memory A4. 

Public: The memory checker C uses a g-query locally decodable code 
E : {0, 1}" {0, 1}" and writes the codeword E{x) G {0, 1}™ to the 
public memory M. 

Private: The memory checker maintains k copies of the quantum finger- 
print 




of X in its private memory (the value of k will be determined later). 

Every time a "retrieve" instruction is executed, the memory checker ob- 
tains k summary states \y) of the current state of the public memory Ai. 
By comparing these new quantum fingerprints with those in the checker's 
private memory, the checker can detect any malicious changes that would 
corrupt the decoding of E(x) to the public memory with high probability. 
Specifically, the checker uses the following two protocols. 

Retrieve (xi) protocol: 

— When a "retrieve" request is issued by the user the memory checker 
queries the public memory to obtain k "summary states" 



— The checker performs the Controlled-SWAP test on the k copies of 
\y) and {ipx) as defined in Section 2.2. 

— If any of the k measurement outputs 1, the checker replies "buggy". 

— Otherwise, the checker runs the decoding algorithm of the locally de- 
codable code E to reconstruct the bit xj the user requests (which 
requires q queries to the public memory) and returns this bit to the 
user. 

— The checker then replaces the \tpx) fingerprints in its local memory 
with k new summaries \y) of the public memory. 

Store (a;) Protocol: 

— When a "store" request is issued, the checker first queries the public 
memory as in the first 3 steps of the previous protocol to verify that 
the public memory and private fingerprints coincide with each other. 

— The checker computes the codeword E{x) for the new input and writes 
it to the memory. 

— It also computes new fingerprint \tpx) and stores k copies into its 
private memory. 

The complexity measure of this protocol is as follows. For simplicity, we 
assume here the sub-optimal parameters of the LDC of Babai et al. [1] 
with q G poly log n and m G O(n^). The space complexity is the private 
memory holding the fingerprints of x, which is 0{k log n) qubits; the query 
complexity is the number of qubits answered by Ai per request, which 
includes the k copies of the fingerprints and the queries of LDC; this 
amounts to 0{klogn + polylogn) qubits. 




3.2 Correctness of the Quantum Online Memory Checker 



Based on the definition of online memory checker in Section 2, a correct 
checker should answer the user correctly when the public memory Ai is 
correct with probability at least 1 — e; and the checker should detect the 
error when TW's output is incorrect with probability also at least 1 — e, 
such that < e < I is the error rate of the protocol. Let us examine the 
behavior of our quantum online memory checker. 

— When Ai is uncorrupted, i.e. when y = E{x), we have = 1 
and the probability of measuring after the Controlled-SWAP test is 
1. Hence the checker will output the correct answer in this case. 

— When M. has been changed by the adversary, i.e. when y ^ E{x), 
Lemma 1 and Lemma 2 applies. 

Lemma 1. Assume a memory checker uses error correcting codes of 

length m with Hamming distance between two distinct codeword being at 
least 6m (where 6 > is a constant). With k = [" iog(i^2/+2j^) 1 copies of 
the fingerprint {ipx), the checker will detect the difference between the two 
fingerprints IV's) and \tpx) with probability at least 1 — e. 

Proof. Since we are using error correcting code where two distinct code- 
words have Hamming distance at least Sm, at least 6m bits of the public 
memory have been changed. Hence for two distinct codeword E[x) and 
E{x), \{ipx\ipx)\ < 1 — 25. Therefore, for k copies, we measure all zeros 
with probability at most 

(i±KM^)^<(l_25 + 25Y. 

In order for the checker to detect the error of the memory with proba- 
bility at least 1 — e, the above equation should have a value less than e. 
Therefore, if we pick k > \ iog(^i^2S+2S'^) '\ ' checker will output "buggy" 
with probability at least (1 — e) when M is corrupted. 

Lemma 1 only deals with the situation where the codeword is changed 
to another codeword. There remains one problem though. The adversary 
can change a few bits of M in small steps such that at no point there 
will be big difference between the summary of the public memory and the 
private fingerprints of the checker. But after a sequence of such changes, 
the codeword can eventually be changed into another E{x) with x ^ x. 
In this situation, we have to determine if it possible for the checker to 
detect the attack with high probability. Let us formalize this situation. 



Problem of incremental changes of public memory: The adversary changes 
a codeword E{x) into another legal codeword E{x) with x / x in T steps: 
in each step, the adversary flips di bits of the public memory {I < i < T), 
so that at step T, it will be changed into another codeword, i.e. Yli=i di > 
6m. Without loss of generality, we assume that in each step the adversary 
changes different bits, so that once a bit is flipped in one step, it will not 
be flipped back in the following steps. The problem we are interested in 
is what the probability is for the checker to detect such an attack. 

In each step, the probability for the checker to accept the response 
from M is at most ^ + ^{\{^x\^y)\^) = 2 + 2(1 - ^f- Define A := | 
such that A = Yli=i ^ ^- Therefore, the probability Pt for the checker 
to measure all "0" (accept) for all T steps is 

T 

PT{A,,...,AT) = Yl{l-2A + 2Af). 

i=l 

Lemma 2. // the adversary changes Am bits of the codeword in T steps, 

then the highest possible probability of the checker not detecting the cor- 
ruption is achieved if all bits get flipped in one step. That is, for all Ai >0 
with zAi H h At = A we have Pt{Ai, At) < PiiA). 

Proof. We prove this lemma by induction on T. 

First, we prove that P2{Ai, A2) < PiiAi + A2). We have 

Pi{Ai + A2) = PiiA) = l-2A + 2A^ 

and 

P2{Ai,A2) = P2{AuA-A^) 

= (1 - 2zAi + 2Al) (1 - 2{A - A{) + 2{A - A^f) 

Therefore, 

Pi(Z\i + A2) - P2{Ai, A2) = AAi{A - Ai){A + Ai{A - Ai)) > 

The last inequality holds because < Z\i < Z\. 

Assuming the lemma holds for all T = A; — 1, let us examine T = k. 

k 

Pk{Ai, . . . , = J] (1 - 2A + 2A') 

i=l 



By definition and the induction hypothesis for T = 2 and T = k — 2, 



Therefore, Lemma 2 holds for all T > 1. 

From this lemma it follows that the probability that the adversary remains 
undetected is bounded by Pt(^i, • • • , ^t) < Pi{S) = I - 26 + 26"^, with 
Ai-\ \-At>S. 

The just derived probabilities are based on one copy of \ipx) and \y). 
When we have k copies, the probability of measuring all zeros is not 
greater than {1 - 26 + 26"^)^. Therefore, if we pick k > \ iog{i-25+25'2) ] ' 
the checker will output "buggy" with probability at least (1 — e) if is 
being corrupted. 

Therefore, we can conclude that when wc pick k > [" iog(il°2/+2(5^) 1 ' 
quantum online memory checker works correctly. Since 6 and e are prede- 
termined constants, is a constant as well. Therefore, the total complexity 
of this checker is: space complexity 0(log(l/e) logn) and query complex- 
ity 0(log(l/e) log n + polylogn). This finishes the proof of Theorem 1. 

Applying the same techniques as in [6] , we have the conclusion that our 
algorithm reaches the lower bound for quantum online memory checking. 

4 Open Question 

The online memory checker in this article uses quantum mechanics both 
in its local memory and the communications with the public memory. A 
variation of this model is a checker that stores quantum information in its 
local memory, but communicates in classical bits to the public memory. 

In a simultaneous message protocol, if one message is quantum, while 
the other is restricted to be classical, Regev and De Wolf have shown that 
it requires a total of J7(^n/logn) bits/qubits to compute the Equality 
function [4], and hence such a hybrid setting is not significantly more 
efficient than classical-classical protocols. This result however does not 
directly translate into a lower bound on the sxt complexity for quantum 
memory checking with classical communication. 

Using the same techniques as in [6] , a quantum online memory checker 
with classical queries can be reduced to a modified consecutive messages 
(CM) protocol. In this CM protocol, Alice is allowed to send quantum 



Pk{Ai,...,Ak) = Pk-2{Ai, 
<Pi{Ai + - 
<Pi(/Ai + . 



,Ak-2)- P2{Ak-i,Ak) 
+ Ak-2) ■ PiiAk-i + Ak) 
+ Ak) = Pi{A) 



messages to Carol and publish a quantum public message, while Bob is 
restricted to classical messages. For this CM protocol, there is an efficient 
solution as following: Receiving an input x, Alice computes its quantum 
fingerprints {tpx) and publish it as a public message; Bob, receiving y, 
computes a quantum fingerprints {tpy) and compares it with \^x)', Bob 
then sends Carol the result of the Controlled-SWAP testing, who out- 
puts the final result. The communication complexity for this protocol is 
O(logn). 

Due to the difi"ercnce between the quantum-classical CM model and 
SM protocol for Equality testing, it is not easy to draw a conclusion for 
the lower bound of quantum online memory checking with classical com- 
munications. Nevertheless wc conjecture that there is no efficient quantum 
online memory checker for this setting. 

5 Conclusion 

In this paper, we consider the problem of constructing an online memory 
checker. By using the quantum fingerprints, we reduce the space com- 
plexity s and query complexity t from s x t E fi{n) to s G O(logn) and 
t e O(logn). 
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